Malware-Traffic-Analysis.net - 2017-06-12

2017-06-12 - TRICKBOT INFECTION

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

Shown above: An example of the emails.

6 EMAIL EXAMPLES:

READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT -- ZIP IN THE ZIP -- EXTRACTED .WSF FILE

2017-06-12 15:17:14 UTC -- NoReplyMailbox@harrison-lewis[.]co[.]uk -- Invoice PIS7602708 -- invoicepis7602708.zip -- JXZQTUD.zip -- JXZQTUD.wsf
2017-06-12 15:17:59 UTC -- NoReplyMailbox@ukmorgans[.]com -- Invoice PIS6475328 -- invoicepis6475328.zip -- LZTFBQLX6G.zip -- LZTFBQLX6G.wsf
2017-06-12 15:19:15 UTC -- NoReplyMailbox@phibberd.globalnet[.]co[.]uk -- Invoice PIS2523626 -- invoicepis2523626.zip -- LZTFBQLX6G.zip -- LZTFBQLX6G.wsf
2017-06-12 15:19:24 UTC -- NoReplyMailbox@baileysecretarial[.]co[.]uk -- Invoice PIS2550675 -- invoicepis2550675.zip -- LZTFBQLX6G.zip -- LZTFBQLX6G.wsf
2017-06-12 15:19:33 UTC -- NoReplyMailbox@schoony[.]co[.]uk -- Invoice PIS4526120 -- invoicepis4526120.zip -- TOTAHZEQT.zip -- TOTAHZEQT.wsf
2017-06-12 15:20:17 UTC -- NoReplyMailbox@sunilx.globalnet[.]co[.]uk -- Invoice PIS8761504 -- invoicepis8761504.zip -- TOTAHZEQT.zip -- TOTAHZEQT.wsf

Shown above: The attached zip archive contains another zip archive which, in turn, contains a Windows Script File (WSF) file.

SHA256 HASHES FOR THE ZIP ATTACHMENTS:

2f27185e5f7ada26909971bd5b40e4ebaea9ecf140a14bbc1dc687e3e97804e0 - invoicepis2523626.zip
37e190f1947a7b4a43844f5e101bb3cd2635654b200e136502a3beec2f9c0529 - invoicepis8761504.zip
79c184367106d0efd1f3154e3100bafca3f3843c973234b10302b5e1e34f15e1 - invoicepis2550675.zip

SHA256 HASHES FOR THE EXTRACTED .WSF FILES:

0411fe66e423186a0bce645fb814958e70d460f1bd1528e107a9a81ec51cfc14 - TOTAHZEQT.wsf
2317ebe1385283e7ae50f7153048aea4e0747211839522fe9324dc5b0c77e8e9 - JXZQTUD.wsf
d9351db902a8f3031d0ee410f4682f6896fa8dac8ccfe21d6a6c92f46844ae20 - LZTFBQLX6G.wsf

TRICKBOT SAMPLE:

SHA256 hash: c305ebba4a998304919ada152c3eb3fe4037baa4526a9c16959b43c754743277
File size: 495,616 bytes
File location: C:\Users\[username]\AppData\Local\Temp\ceRTYeYSAjg1.exe
File location: C:\Users\[username]\AppData\Local\Temp\wvHyIX1.exe
File location: C:\Users\[username]\AppData\Local\Temp\XiIxdgMgRIk3.exe

OTHER MALWARE NOTED:

SHA256 hash: 239ce47b51508c1adefc8fb753d19075126923e657337f9aebcb63c954266d5a
File size: 98,068 bytes
File location: C:\Users\[username]\AppData\Local\Temp\XiIxdgMgRIk2.exe

URLS FROM THE .WSF FILES TO DOWNLOAD TRICKBOT:

TRICKBOT POST-INFECTION TRAFFIC:

ip.anysrc[.]net, ipecho[.]net, wtfismyip[.]com, or possibly others - IP address check
85.228.193[.]94 port 447 - Trickbot post-infection traffic
89.231.13[.]27 port 443 - Trickbot post-infection traffic
5.45.87[.]24 port 447 - Attempted TCP connection, but no response from the server
185.203.243[.]113 port 443 - Attempted TCP connection, but no response from the server

Shown above: Traffic from one of the infections filtered in Wireshark.

Shown above: Some alerts on the infection traffic from the Emerging Threats ruleset using Sguil and tcpreplay on Security Onion.

Shown above: Another infection from this malspam (note the different domain for the IP address check).

Shown above: Yet another infection from this malspam (note yet another different domain for the IP address check).

Shown above: Artifacts discovered on one of the infected hosts.

Click here to return to the main page.